Microsoft Virtual PC Security Flaw Leaves Users Vulnerable

Researchers at Core Security Technologies are warning of a vulnerability affecting versions of Microsoft's Virtual PC software that can be used to bypass several Windows security mechanisms.

Researchers at Core
Security Technologies issued
an advisory March 16 about a new security vulnerability that leaves users
of Microsoft's Virtual PC software open to attack.
According to Core
Security, certain versions of the Virtual PC hypervisor contain a
vulnerability that allows attackers to bypass Windows security mechanisms,
including Data Execution Prevention (DEP) and Address Space Layout
Randomization. This means other bugs that are not exploitable when running in a
nonvirtualized operating system could be exploited if running within a
guest OS in Virtual PC.

"The vulnerability can be
exploited locally within a virtualized system to escalate privileges or
remotely for code execution in combination with any client-side bug for which
existing patches have not been applied or with any client-side bug for which a
fix has not been developed after dismissing the bug as not exploitable or of
low priority," Ivan Arce,
CTO of Core Security, told eWEEK in an
e-mail. "The vulnerability does not seem usable to escape from a virtualized OS
(guest) to execute code in the context of the non-virtualized OS (host). Use of
the vulnerability to implement covert inter-process communications within the
virtualized OS or to establish inter-VM (virtual machine) communication has not
been researched in full but is deemed possible."

According to the advisory,
incorrect memory management by the Virtual Machine Monitor (VMM) of
Virtual PC makes portions of the VMM worker memory available for read or
read/write access to user-space processes running in a Guest OS.
"Leaked memory pages are
mapped on the Guest OS at virtual addresses above the 2GB limit which shouldn't
be accessible for user-space programs," the advisory reads.
The bug
impacts a number of versions of the product, including Microsoft Virtual PC
2007, Virtual PC 2007 SP1, Windows Virtual PC and Microsoft Virtual Server
2005. Because Microsoft's Virtual PC hypervisor is a component of Windows
7 XP Mode, it is impacted as well.
Microsoft's
Hyper-V technology is not affected.
Core
Security reported the issue to Microsoft in August 2009, and stated that
Microsoft has said it plans to solve the problem in a future update. Microsoft
did not respond to an eWEEK request for comment by deadline.
"We
recommend affected users to run all mission critical Windows applications on
non-virtualized systems or to use virtualization technologies that aren't
affected by this bug," Arce said. "Windows operating systems and
applications that must run virtualized using Virtual PC technologies should be
kept at the highest patch level possible and monitored to detect exploitation
attempts."